It's been a while since I've done a Take5, and this seventh episode interviews Nir Zuk, founder & CTO of up-start "next-generation firewall" company Palo Alto Networks.
There's been quite a bit of hubbub lately about PAN and I thought I'd see what all the frothing was about. I reached out to Nir and sent him a couple of questions via email, which he was kind enough to answer. PAN is sending me a box to play with, so we'll see how well it holds up on the Rack. I'm interested in seeing how this approach addresses the current and the next generation of network security concerns.
Despite my soapbox antics regarding technology in the security space, having spent the last two years at a network security startup put me at the cutting edge of some of the most unique security hardware and software in the business, and the PAN solution has some very interesting technology and some very interesting people at its core.
1) Your background in the security field is well known, and as we take a look out at the security industry and the breadth of technologies and products balanced against the needs of the enterprise and service providers, why did you choose to build another firewall product? Don't we have a mature set of competitors in this space? What need is Palo Alto Networks fulfilling? Isn't this just UTM?

The reason I have decided to build a new firewall product is quite similar to the reasons Check Point (one of my previous employers) decided to build a new firewall product back in the early 90's, when people were using packet filters embedded in routers - that reason being that existing firewalls are ineffective. Throughout the years, application developers have learnt how to avoid existing firewalls using various techniques such as port hopping, tunneling and encryption. Retrofitting existing firewalls, which use ports to classify traffic, turned out to be impossible, hence a new product had to be developed from the ground up.

2) As consolidation of security technologies into fewer boxes continues to heat up, vendors in the security space add more and more functionality to their appliances so as not to be replaced as the box-sprinkling madness continues. Who do you see as a competitive threat, and who do you see your box replacing/consolidating in the long term?

I believe that a more important trend in network security today is the move from port-centric to application-centric classification technologies. This will make most of the existing products obsolete, similar to the way stateful inspection has made its predecessors disappear from the world... As for device consolidation, I believe that existing firewall architectures are too old to allow real consolidation, which today is limited to bolting multiple segregated products on the same device with minimal integration.
A new architecture which allows multiple network security technologies to share the same engines has to appear before real consolidation happens. The Palo Alto Networks PA-4000 series is, I believe, the first device to offer this kind of architecture.

3) The PA-4000 Series uses some really cutting-edge technologies. Can you tell us more about some of them and how the appliance is differentiated from multi-core x86 based COTS appliances? Why did you go down the proprietary hardware route instead of just using standard Intel reference designs and focusing on software?

Intel CPUs are very good at crunching numbers, running Excel spreadsheets and playing high-end 3D games. They are not so good at handling packets. For example, the newest quad core Intel CPU can handle maybe 1,500,000 packets per second, which amounts to about 1 Gbps with small packets. A single network processor, such as the one of many that we have in the PA-4000 series, can handle 10 times that - 15,000,000 packets per second. Vendors that claim 10 Gbps throughput with Intel CPUs do so with large packet sizes, which do not represent the real world.

4) Your technology focuses on providing extreme levels of application granularity to be able to identify and control the use of specific applications. Application specificity is important as more and more applications use well-known ports (such as port 80), encryption or other methods to disguise themselves to avoid firewalls. Is this going deep enough? Don't you need to examine and enact dispositions at the content level? After all, it's the information that's being transmitted that is important.

Inspection needs to happen at two levels. The first one is used to identify the application. This usually does not require going into the information that's being transmitted, but rather merely looking at the enclosing protocol. Once the application is identified, it needs to be controlled and secured, both of which require much deeper inspection into the information itself.
Simply blocking the application is not enough - applications need to be controlled - some are always allowed, some are always blocked, but most require granular policy. The PA-4000 products perform both inspections on two different purpose-built hardware engines.

5) You've architected the PA-4000 Series to depend upon signatures, and you don't use behavioral analysis or behavioral anomaly detection in the decision fabric to determine how to render a disposition. Given the noise associated with poorly constructed expressions based upon signatures in products like IDS/IPS systems that don't use context as a decision point, are you losing anything by relying just on signatures?

The PA-4000 is not limited to signature-based classification of applications. It is using other techniques as well. As for false-positive issues, these are usually not associated with traffic classification but rather with attack detection. Generally, traffic classification is a very deterministic process that does not suffer from false positives. As for the IDS/IPS functionality in the PA-4000 product line, it is providing better context for the IDS/IPS signatures for better accuracy, but the most important reason as to why the PA-4000 products have better accuracy is because Palo Alto Networks is not a pure IPS vendor and therefore does not need to play the "who has more signatures" game, which leads to competing products having thousands of useless signatures that only generate false positives.

BONUS QUESTION:

6) The current version of the software really positions your solution as a client-facing forward proxy that inspects outbound traffic from an end-user perspective. Given this positioning, which one would imagine is done mostly at a "perimeter" choke point, can you comment on adding features like DLP or NAC?
Also, if you're at the "perimeter", what about reverse proxy functionality to inspect inbound traffic to servers on a DMZ?

The current shipping version of PAN-OS provides NAC-like functionality with seamless integration with Active Directory and domain controllers. DLP is not currently a function that our product provides, even though the product architecture does not preclude it. We are evaluating adding reverse proxy functionality in one of our upcoming software releases.
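A quick way to sanity-check packet-rate claims like the ones Nir gives in answer 3: the arithmetic below is added here as an illustration and is not part of the original interview or anything from Palo Alto Networks. It converts packets per second to line rate for a given Ethernet frame size, assuming the standard 20 bytes of preamble, start-of-frame delimiter and inter-frame gap per frame, and shows why 1.5 million pps is roughly 1 Gbps at 64-byte frames yet would look like well over 10 Gbps if a vendor tested only with 1518-byte frames.

```python
# Every Ethernet frame on the wire costs an extra 20 bytes that never reach the
# application: 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte
# inter-frame gap. Frame sizes below are the classic RFC 2544 test sizes,
# counted from destination MAC through FCS (64 .. 1518 bytes).
WIRE_OVERHEAD_BYTES = 20
RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def bits_per_second(pps: int, frame_bytes: int) -> int:
    """Line rate a device sustains when it forwards `pps` frames of `frame_bytes`."""
    return pps * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def packets_per_second(bps: float, frame_bytes: int) -> float:
    """Frame rate needed to fill a link of `bps` with frames of `frame_bytes`."""
    return bps / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def required_pps(link_bps: float, frame_sizes=RFC2544_FRAME_SIZES) -> dict:
    """Frames per second needed at each frame size to saturate `link_bps`."""
    return {size: round(packets_per_second(link_bps, size)) for size in frame_sizes}


def gbps_table(pps: int, frame_sizes=RFC2544_FRAME_SIZES) -> dict:
    """Throughput in Gbps that a fixed packet-rate budget buys at each frame size."""
    return {size: bits_per_second(pps, size) / 1e9 for size in frame_sizes}


if __name__ == "__main__":
    cpu_pps = 1_500_000  # packet rate quoted for a quad-core x86 CPU in the interview
    print("frame  pps needed for 10 Gbps   Gbps from 1.5 Mpps")
    for size, need in required_pps(10e9).items():
        print(f"{size:>5}  {need:>22,}   {gbps_table(cpu_pps)[size]:>8.2f}")
```

Saturating 10 Gbps with 64-byte frames needs about 14.9 million pps, which is the order of magnitude Nir quotes for a single network processor, while the same 1.5 Mpps budget that yields 1 Gbps at 64 bytes yields over 18 Gbps at 1518 bytes. When reading a datasheet, ask at which frame size the throughput figure was measured.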
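To make the distinction in answers 1 and 4 concrete (port-based classification defeated by port hopping or tunneling, versus identifying the application from the enclosing protocol and only then inspecting the content), here is a toy classifier written as an added example; it is not code from Palo Alto Networks or from the PA-4000. The port table, the protocol fingerprints and the sample flows are constructed for illustration and cover only SSH, HTTP and TLS.

```python
import re

# Constructed port-to-application table: how a port-centric firewall labels a flow.
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls"}

# An HTTP/1.x request line at the very start of the client's first bytes.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def _is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 0x03,
    2-byte length, then a handshake message of type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def classify_by_port(dst_port: int) -> str:
    """Level-1 classification the old way: trust the destination port."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(first_bytes: bytes) -> str:
    """Level-1 classification the application-centric way: fingerprint the
    enclosing protocol from the first client bytes and ignore the port."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if _is_tls_client_hello(first_bytes):
        return "tls"
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    return "unknown"


def http_host(first_bytes: bytes):
    """Level-2 inspection for one application: once a flow is known to be
    HTTP, policy can key on content such as the Host header."""
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)\r\n", first_bytes, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def compare(flows):
    """Label each (dst_port, first_bytes) flow both ways and flag flows where
    the port alone would have told a port-centric firewall the wrong story."""
    rows = []
    for dst_port, first_bytes in flows:
        by_port = classify_by_port(dst_port)
        by_payload = classify_by_payload(first_bytes)
        rows.append({
            "port": dst_port,
            "by_port": by_port,
            "by_payload": by_payload,
            "mismatch": by_port != by_payload,
            "host": http_host(first_bytes) if by_payload == "http" else None,
        })
    return rows


# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),                                    # SSH where expected
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),  # HTTP where expected
    (443, b"\x16\x03\x01\x00\x2a\x01" + b"\x00" * 10),                   # TLS ClientHello
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                                   # SSH tunnelled over 443
    (8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),             # HTTP on a non-standard port
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f"port {row['port']:>5}: port says {row['by_port']:<7} "
              f"payload says {row['by_payload']:<7} {flag}  host={row['host']}")
```

The two flows flagged as mismatches are exactly the cases a port-based rule set gets wrong: a port-80/443 allow rule lets the tunnelled SSH through as "web", and a port-80-only rule never sees the HTTP on 8080. Real products use far richer fingerprints and handle encrypted traffic, but the split is the same: first decide what the application is, then apply the deeper, application-specific inspection that Nir describes as the second level.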
Related article:
http://rationalsecurity.typepad.com/blog/2007/11/take5-episode-7.html